Shadow IT Menace In The Era of GDPR Compliance

Pallavi Varanasi, Cloud Security Expert - CloudCodes Software
November 9th, 2020

Shadow IT Posing Serious Risks to GDPR Compliance

Shadow IT is the unauthorized use of online apps and services by the employees of an enterprise in order to speed up their tasks. The obvious outcome is that the enterprise faces the risk of confidential data being shared with third-party services. The use of third-party services by employees without the approval of the IT department has led to the rise of the Shadow IT menace, and even though these tools are adopted without ill intent, through negligence or for the sake of convenience, they pose a serious data security risk. The proliferation of innumerable online services and apps in the cloud has led employees to download them without prior approval so that their work gets streamlined, while the company remains unaware of the enterprise data being processed or transferred over these unsecured channels. Now, with the EU’s General Data Protection Regulation (GDPR) coming into effective force from 25th May 2018, enterprises are struggling to have their compliance measures in place, and the greatest challenge to its implementation is the Shadow IT menace. Enterprises risk hefty fines if they are found to be non-compliant with GDPR.

The Rampant Spread of Shadow IT in Enterprises

The principal reason why employees resort to Shadow IT services is that enterprises do not provide adequate, up-to-date tools for them to work with. This creates a series of challenges for employees who are burdened with heavy workloads and insufficient tools to carry out their tasks. When time is limited and targets have to be met, employees look for ways to cut corners and get their tasks done quickly. As a consequence, they inevitably start using or downloading online tools to speed up their work. Many times, requests sent by employees to the IT department for properly authorized tools get stuck or are cleared only at a much later date. All of this leads to the inevitable rise of Shadow IT.

Shadow IT in the Way of GDPR Compliance

Under the GDPR, enterprises must not process sensitive information for any purpose other than the one for which they have obtained consent. When employees of the enterprise start using third-party apps or services without prior approval, those services gain access to the confidential data. This is a clear violation of GDPR rules because the enterprise is sharing confidential data with third parties without approval, albeit unknowingly.

GDPR Compliance and Issues Arising due to Shadow IT Menace

Shadow IT engages non-authorized third parties, and this seriously breaks the regulations laid down by the GDPR. When sensitive data is shared with or uploaded to unsecured internet services, it is effectively being shared with external individuals and stakeholders. By doing this, employees break their obligation of confidentiality, and thus the enterprise fails to protect its sensitive data. GDPR advocates the ‘Right to be Forgotten’, wherein an individual can request that the enterprise erase all of their personal information. When such a request reaches an enterprise, it will not be able to comply fully, since the personal information has already been shared through Shadow IT with other external services. Here, the enterprise will be held accountable for the fault and will be liable to pay hefty fines when found GDPR non-compliant.

Shadow IT Menace Elimination through CASB solutions

Shadow IT use can be thwarted through the implementation of Cloud Access Security Broker (CASB) solutions with their Data Loss Prevention (DLP) modules. A CASB solution helps enterprises monitor sensitive data through the enforcement of policies and access control. Any policy violations are reported to the IT admin so that corrective measures can be taken to secure the data. Controlling the transfer of sensitive data in this way is the countermeasure to Shadow IT. All organizations should work effectively to speed up their efforts to remove Shadow IT. This will not only secure their data but also make them GDPR compliant. With just a couple of months remaining for the GDPR to become effective, it is high time that companies implement CASB solutions and tackle the Shadow IT menace.
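To make the CASB/DLP behaviour described above concrete, here is an added example written for this page; it is not CloudCodes' product code or a real CASB. It reads constructed web-proxy log lines, builds a Shadow IT inventory of hosts outside an assumed sanctioned-app list (`SANCTIONED_DOMAINS`), and raises findings for uploads that go to unsanctioned services or that carry personal data, which is what a DLP policy check does before the violation is reported to the IT admin. The log layout, the domain names, the `PII_PATTERNS` detectors and the alert/block actions are all assumptions made for the illustration.

```python
"""Added example (not CloudCodes' own code): a minimal CASB/DLP-style policy check.

It reads constructed web-proxy log lines, builds a Shadow IT inventory of
unsanctioned cloud hosts, and raises findings for uploads that leave the
sanctioned set or that carry personal data. Domains, log format and patterns
are all assumptions made for this illustration.
"""
import re
from dataclasses import dataclass

# Assumed policy: services the IT department has approved (constructed names).
SANCTIONED_DOMAINS = {"drive.example-corp.com", "mail.example-corp.com"}

# Assumed, deliberately simple personal-data detectors for the request body.
PII_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b"),
}

# Assumed proxy log layout: <timestamp> <user> <method> <url> <bytes> "<body excerpt>"
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) '
    r'https?://(?P<host>[^/\s]+)\S* (?P<bytes>\d+) "(?P<body>.*)"$'
)

UPLOAD_METHODS = {"POST", "PUT"}


@dataclass
class Finding:
    user: str
    host: str
    reasons: list
    action: str  # "alert" (report to IT admin) or "block" (stop the transfer)


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the layout."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def evaluate(entry):
    """Apply the policy to one parsed entry; return a Finding or None."""
    host, is_upload = entry["host"], entry["method"] in UPLOAD_METHODS
    unsanctioned = host not in SANCTIONED_DOMAINS
    reasons, pii_hits = [], []
    if is_upload and unsanctioned:
        reasons.append("upload to unsanctioned service")
    if is_upload:
        pii_hits = [name for name, pat in PII_PATTERNS.items() if pat.search(entry["body"])]
        reasons.extend(f"personal data ({name}) in upload" for name in pii_hits)
    if not reasons:
        return None
    # Personal data leaving for an unapproved service is the GDPR-relevant case: block it.
    action = "block" if unsanctioned and pii_hits else "alert"
    return Finding(entry["user"], host, reasons, action)


def scan(lines):
    """Run discovery and policy checks over log lines; return a small report."""
    report = {"unsanctioned_hosts": set(), "findings": [], "unparsed": 0}
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            report["unparsed"] += 1
            continue
        if entry["host"] not in SANCTIONED_DOMAINS:
            report["unsanctioned_hosts"].add(entry["host"])  # Shadow IT inventory
        finding = evaluate(entry)
        if finding:
            report["findings"].append(finding)
    return report


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
2020-11-09T09:12:01Z alice GET https://drive.example-corp.com/files 0 ""
2020-11-09T09:13:44Z bob POST https://notes.unsanctioned-app.example/api/upload 2048 "customer jane.doe@example.org IBAN DE89370400440532013000"
2020-11-09T09:15:10Z carol POST https://drive.example-corp.com/upload 4096 "quarterly numbers"
2020-11-09T09:16:02Z dave PUT https://paste.unsanctioned-app.example/x 512 "todo list"
2020-11-09T09:17:30Z erin POST https://mail.example-corp.com/send 300 "contact john.roe@example.net"
2020-11-09T09:18:05Z frank GET https://chat.unsanctioned-app.example/ 0 ""
garbage line that the parser cannot read
"""

if __name__ == "__main__":
    result = scan(SAMPLE_LOG.splitlines())
    print("Shadow IT inventory:", sorted(result["unsanctioned_hosts"]))
    for f in result["findings"]:
        print(f"{f.action.upper():5} {f.user}@{f.host}: {'; '.join(f.reasons)}")
```

Running the block lists three unsanctioned hosts (including one only ever reached with a GET, which is why discovery is kept separate from the DLP findings), blocks the one upload that sends personal data to an unapproved service, and alerts on the other two uploads. A real CASB adds the access-control side the article mentions (inline blocking, per-user and per-app policies) on top of this kind of inspection.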